
Hackers Are People Too

Simon Morse

Security Architect, Versent

I put off for quite a while watching the recent Jobs movie as I was convinced it wouldn’t be accurate, and instead would descend into some sort of a grovelling attempt to gloss over the more unpleasant episodes of the Steve Jobs story. I got ambushed by my family one night and so I found myself sitting down watching in apprehension, but I have to say I was pleasantly surprised that it appeared to be a fairly honest version of events.

June 21, 2017

For those who didn’t see it, the early section
dealt with Steve at University and I think gave a glimpse of how the roots of
the IT industry based in the San Francisco Bay area (aka Silicon Valley) overlapped
with the tail end of the hippy movement.

To a large extent that non-conformist view
of the world still persists to this day and it’s not just in big organisations
like Apple. Earlier this year I caught up with a mate who had been working in
Saudi Arabia for a few years since we’d last worked together. My favourite
story of his was when he was working in San Francisco during the .com boom.
There were hammocks for employees and posts out the front specifically designed
to tie up your pets (if you didn’t want to bring them to your desk…) Perhaps
with the exception of a few players like Google and Amazon, most of this wave
of innovation went bust or got gobbled up by the big players once the money
dried up. But it does describe the strain of avant-garde curiosity and sense of
downright mischief that is still a major driving force in the IT industry.

Although some civil libertarians may
support “hacktivism” through groups such as Anonymous or WikiLeaks as a
non-violent form of protest on particular issues, by and large Hacking is a bit
of a dirty word now. Every month or so there will be a mainstream news media
story about some sort of criminal gang that has systematically ripped off
consumers, small businesses or banks. Often the scale of these scams runs into
the millions and a large part of my career has been spent trying to help
organisations assess how likely these sorts of events are and devise ways to
prevent, detect and react. But it wasn’t always this way. In the early days, to
be a hacker was a mark of respect from your peers – it meant that you were good
at your job, but in a creative way. Like a Steve Jobs.

I think the term is now beyond
rehabilitation, but I can describe the thought process that makes one a good
hacker because I use it all the time myself. Here’s how it works:

Step 1 – understand in depth how the system
works in the mind of the designer. At this stage we’re completely in line with
bread and butter IT practice. Think of this as determining the ground rules for
the system.

Step 2 – try and fiddle with individual
elements of the system in a way that the designer hadn’t foreseen. This is where hacking starts to diverge from
traditional IT. It requires curiosity, creative insight and the ability to put
convention to one side while you explore possibilities. Think of this as
bending our established rules in some way to see what happens.

Step 3 – see if this unexpected use can
benefit you or someone else in some way. I often need to do this in my security
analysis. In the industry we give it the tag of “threat modelling”, but really
I’m just hacking the system in exactly the same way that those up to no good
are.

Hopefully you can see how the
non-conformist strain of thinking from west coast US was key in giving us some
of the more elegant improvements that we’ve seen emerging to change
conventional thinking for companies such as Apple and Google. If we stack up
conventional thinking against this approach, we can see IBM in 1995 spending
three and a half billion acquiring Lotus for what turned out to be dead-end
spreadsheeting and email products.
Similarly, Bill Gates was reported at a 1994 conference as declaring “I see
little commercial potential for the Internet for at least 10 years”. There’s a lot of mythology around Microsoft
and they executed a pretty swift U-turn on their previous internet strategy
shortly after this, so the exact quote may be apocryphal, but both of these
examples show us that traditional thinking can at best allow us to continue
exploiting current revenue streams or market domination.

I work in the IT industry, so I recognise this
all the time in IT kind of ways, but you may also recognise the same process in
other fields – performing card tricks, hotting up cars, inventing the “Fosbury
flop” technique in high jump or the winged keel for the America’s Cup. All of
these are in some sense breaking the mould, and traditionalists in the area
might argue, they are breaking the rules.

In a future article, I’ll get back to how
the bad guys exploit abnormal behaviour and how we can defend against this by
designing systems that catch problems at a general level rather than trying to
second guess the particulars of what they are up to. But for the moment, let’s
pause and consider the positive benefits from creative IT thinking – perhaps
the next time you pull out your smart phone, check on your friends online, then
google something up on the internet…